diff --git a/README.md b/README.md
index 78036c6..2d08716 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,27 @@
 # pySigma-yml-pipeline
 Unofficial pySigma Yaml pipeline
+
+# Useful information
+
+This depot is not linked to SigmaHQ or pySigma.
+
+This is an open library for pySigma pipelines in yaml format.
+You can use them, improve them or add new ones.
+
+# Folder
+## elastalert
+- elastalert_any from https://x.com/frack113/status/1697904485031399431
+
+## elastic
+- ecs_1_winlogbeat ECS 1.xx winlogbeat field mapping
+- ecs_1_filebeat ECS 1.xx filebeat field mapping (only auditd module)
+
+## misc
+- placerholder from [sigmahq bloq](https://blog.sigmahq.io/building-flexible-detections-with-sigma-placeholders-7c1b814e2860)
+- processing from [sigmahq bloq](https://blog.sigmahq.io/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070)
+- field_mapping from [sigmahq bloq](https://blog.sigmahq.io/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070)
+
+## splunk
+- splunk-savedsearches-concat from [sigmahq bloq](https://blog.sigmahq.io/introducing-query-post-processing-and-output-finalization-to-processing-pipelines-4bfe74087ac1)
+- splunk-savedsearches-template from [sigmahq bloq](https://blog.sigmahq.io/introducing-query-post-processing-and-output-finalization-to-processing-pipelines-4bfe74087ac1)
+
diff --git a/elastalert/elastalert_any.yml b/elastalert/elastalert_any.yml
new file mode 100644
index 0000000..df11bc2
--- /dev/null
+++ b/elastalert/elastalert_any.yml
@@ -0,0 +1,22 @@ +postprocessing: + - type: template + template: |+ + name: {{ rule.id }} + description: {{ rule.title }} + owner: {{ rule.author }} + + type: any + priority:{% set priority = ({"critical":4, "high":3, "medium":2, "low":1, "informational":0 })%} {{ priority["%s" % rule.level]}} + alert: + - debug + + + # The Detection Warning miss the index information in the lucene output + index: linux-* + filter: + - query: + query_string: + query: '{{ query }}' + + +finalizers: + - type: concat
\ No newline at end of file
diff --git a/elastic/ecs_1_filebeat.yml b/elastic/ecs_1_filebeat.yml
new file mode 100644
index 0000000..fb9670e
--- /dev/null
+++ b/elastic/ecs_1_filebeat.yml
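Review bot: `query: '{{ query }}'` at the end of the template drops the rendered Lucene query into a single-quoted YAML scalar with no escaping, so a query containing a `'` produces a rule file that fails to parse or, worse, changes the structure of the generated ElastAlert rule. Rendering the value through a filter that yields a properly quoted scalar avoids that, e.g. `query: {{ query | tojson }}`, provided the template environment pySigma uses exposes Jinja2's built-in `tojson` (a JSON string is a valid YAML double-quoted scalar). The `priority` line yields an empty value when `rule.level` is unset or outside the five keys, leaving `priority:` with no value in the output; a lookup with a fallback such as `{{ priority.get(rule.level | string, 0) }}` makes that case explicit. When several rules are converted at once the `concat` finalizer joins the rendered rules with no `---` between them (the `|+` only keeps the trailing blank lines), so the result is one document with repeated top-level keys rather than one rule per document; confirm how the intended loader expects multiple rules before relying on that output.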
@@ -0,0 +1,60 @@
+name: Mapping Filebeat ECS 1.x
+priority: 30
+transformations:
+
+# Auditd Module
+ - id: field_mapping_module_auditd
+ type: field_name_mapping
+ mapping:
+ acct: user.name
+ addr: source.address
+ agid: user.audit.group.id
+ arch: host.architecture
+ auid: user.audit.id
+ comm: process.name
+ cwd: process.working_directory
+ dst: destination.address
+ egid: user.effective.group.id
+ euid: user.effective.id
+ exe: process.executable
+ exit: process.exit_code
+ fsgid: user.filesystem.group.id
+ fsuid: user.filesystem.id
+ gid: user.group.id
+ msg: message
+ ogid: user.owner.group.id
+ ouid: user.owner.id
+ pid: process.pid
+ ppid: process.ppid
+ record_type: event.action
+ res: event.outcome
+ sgid: user.saved.group.id
+ src: source.address
+ suid: user.saved.id
+ terminal: user.terminal
+ uid: user.id
+ user: user.name
+ rule_conditions:
+ - type: logsource
+ service: auditd
+
+ - id: auditd_field_prefix
+ type: field_name_prefix
+ prefix: "auditd.log."
+ field_name_cond_not: true
+ field_name_conditions:
+ - type: processing_item_applied
+ processing_item_id: field_mapping_module_auditd
+ rule_conditions:
+ - type: logsource
+ service: auditd
+
+
+# Global filebeat index
+ - id: index_condition
+ type: add_condition
+ conditions:
+ index: filebeat
+ rule_conditions:
+ - type: logsource
+ service: auditd
diff --git a/elastic/ecs_1_winlogbeat.yml b/elastic/ecs_1_winlogbeat.yml
new file mode 100644
index 0000000..60e8520
--- /dev/null
+++ b/elastic/ecs_1_winlogbeat.yml
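Review bot: The `index_condition` item under the `# Global filebeat index` comment is restricted by its `rule_conditions` to `service: auditd`, so it is not global: a rule for any other Filebeat source gets neither the `index: filebeat` condition nor a field mapping, and the comment misleads the next maintainer about what the pipeline covers. Either drop that `rule_conditions` block so the index condition applies to every rule the pipeline sees, or reword the comment to `# Auditd index condition` so it matches the item. The mapping renames fields only and passes values through, so where raw auditd values differ from the ECS vocabulary (for example `res` mapped to `event.outcome`) a value transformation would also be needed — confirm against what the Filebeat auditd module actually indexes before relying on those two entries.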
@@ -0,0 +1,172 @@
+name: Mapping Winlogbeat ECS 1.x
+priority: 30
+transformations:
+
+ - id: field_mapping
+ type: field_name_mapping
+ mapping:
+ AccountDomain: user.domain
+ AccountName: user.name
+ Application: process.executable
+ Archived: sysmon.file.archived
+ Channel: winlog.channel
+ ClientAddress: source.ip
+ ClientName: source.domain
+ CommandName: powershell.command.name
+ CommandPath: powershell.command.path
+ CommandType: powershell.command.type
+ ComputerName: winlog.computer_name
+ CurrentDirectory: process.working_directory
+ DestAddress: destination.ip
+ Destination: process.executable
+ DestinationHostname: destination.domain
+ DestinationIp: destination.ip
+ DestinationPort: destination.port
+ DestinationPortName: network.protocol
+ DestPort: destination.port
+ Device: file.path
+ FileName: file.path
+ HostApplication: process.command_line
+ HostId: process.entity_id
+ HostName: process.title
+ Image: process.executable
+ ImageLoaded: file.path
+ IpAddress: source.ip
+ IpPort: source.port
+ IsExecutable: sysmon.file.is_executable
+ MessageNumber: powershell.sequence
+ MessageTotal: powershell.total
+ NewEngineState: powershell.engine.new_state
+ NewProcessId: process.pid
+ NewProcessName: process.executable
+ NewProviderState: powershell.provider.new_state
+ ParentCommandLine: process.parent.command_line
+ ParentImage: process.parent.executable
+ ParentProcessGuid: process.parent.entity_id
+ ParentProcessId: process.parent.pid
+ ParentProcessName: process.parent.name
+ PipelineId: powershell.pipeline_id
+ PipeName: file.name
+ PreviousEngineState: powershell.engine.previous_state
+ ProcessGuid: process.entity_id
+ ProcessId: process.pid
+ ProcessName: process.executable
+ Provider_Name: winlog.provider_name
+ ProviderName: powershell.provider.name
+ QueryName: dns.question.name
+ QueryStatus: sysmon.dns.status
+ RunspaceId: powershell.runspace_id
+ ScriptBlockId: powershell.file.script_block_id
+ ScriptBlockText: powershell.file.script_block_text
+ ScriptName: file.path
+ SequenceNumber: event.sequence
+ SignatureStatus: file.code_signature.status
+ Signed: file.code_signature.signed
+ SourceAddress: source.ip
+ SourceHostname: source.domain
+ SourceImage: process.executable
+ SourceIp: source.ip
+ SourcePort: source.port
+ SourceProcessGuid: process.entity_id
+ SourceProcessId: process.pid
+ SourceThreadId: process.thread.id
+ TargetDomainName: user.domain
+ TargetFilename: file.path
+ TargetObject: registry.path
+ WorkstationName: source.domain
+
+ - id: field_mapping_driver_loaded
+ type: field_name_mapping
+ mapping:
+ Signature: file.code_signature.subject_name
+ rule_conditions:
+ - type: logsource
+ category: driver_loaded
+
+ - id: field_mapping_image_load
+ type: field_name_mapping
+ mapping:
+ FileVersion: file.pe.file_version
+ Description: file.pe.description
+ Company: file.pe.company
+ Product: file.pe.product
+ OriginalFileName: file.pe.original_file_name
+ Signature: file.code_signature.subject_name
+ rule_conditions:
+ - type: logsource
+ category: image_load
+
+ - id: field_mapping_network_connection
+ type: field_name_mapping
+ mapping:
+ Protocol: network.transport
+ Initiated: network.direction
+ rule_conditions:
+ - type: logsource
+ category: network_connection
+
+ - id: field_mapping_powershell_classic
+ type: field_name_mapping
+ mapping:
+ CommandLine: powershell.command.value
+ EngineVersion: powershell.engine.version
+ HostVersion: powershell.process.executable_version
+ rule_conditions:
+ - type: logsource
+ service: powershell-classic
+
+ - id: field_mapping_process_creation
+ type: field_name_mapping
+ mapping:
+ FileVersion: process.pe.file_version
+ Description: process.pe.description
+ Product: process.pe.product
+ Company: process.pe.company
+ OriginalFileName: process.pe.original_file_name
+ CommandLine: process.command_line
+ rule_conditions:
+ - type: logsource
+ category: process_creation
+
+ - id: field_mapping_security
+ type: field_name_mapping
+ mapping:
+ CommandLine: process.command_line
+ SubjectLogonId: winlog.logon.id
+ ServiceName: service.name
+ SubjectDomainName: user.domain
+ SubjectUserName: user.name
+ SubjectUserSid: user.id
+ TargetLogonId: winlog.logon.id
+ rule_conditions:
+ - type: logsource
+ service: security
+
+ - id: windows_field_prefix
+ type: field_name_prefix
+ prefix: "winlog.event_data."
+ field_name_cond_not: true
+ field_name_cond_op: or
+ field_name_conditions:
+ - type: processing_item_applied
+ processing_item_id: field_mapping
+ - type: processing_item_applied
+ processing_item_id: field_mapping_driver_loaded
+ - type: processing_item_applied
+ processing_item_id: field_mapping_image_load
+ - type: processing_item_applied
+ processing_item_id: field_mapping_network_connection
+ - type: processing_item_applied
+ processing_item_id: field_mapping_powershell_classic
+ - type: processing_item_applied
+ processing_item_id: field_mapping_process_creation
+ - type: processing_item_applied
+ processing_item_id: field_mapping_security
+
+ - id: index_condition
+ type: add_condition
+ conditions:
+ index: winlogbeat
+ rule_conditions:
+ - type: logsource
+ product: windows
diff --git a/misc/field_mapping.yml b/misc/field_mapping.yml
new file mode 100644
index 0000000..771e1f6
--- /dev/null
+++ b/misc/field_mapping.yml
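Review bot: In `field_mapping_security`, `SubjectLogonId` and `TargetLogonId` are both mapped to `winlog.logon.id`, so a rule that constrains the two separately is converted into two conditions on a single field and can never match, and a rule using either one silently loses the subject/target distinction. Unless the Winlogbeat Security module really writes both ids to that field, map only one of them and let the other fall through to the `windows_field_prefix` item, i.e. delete `TargetLogonId: winlog.logon.id`. The global `field_mapping` item has the same many-to-one shape in several places (`Image`, `SourceImage`, `Destination`, `NewProcessName`, `ProcessName` and `Application` all become `process.executable`; `ProcessGuid`, `SourceProcessGuid` and `HostId` all become `process.entity_id`), which may be intended for ECS but deserves a comment above that item such as `# many-to-one: several Sysmon/Security fields collapse onto one ECS field; a rule comparing two of them cannot be expressed`, so that a detection engineer checking a converted rule knows the loss is by design.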
@@ -0,0 +1,43 @@
+name: Fixing the field naming mess
+priority: 30
+transformations:
+- id: image_fail_path
+ type: detection_item_failure
+ message: Image must only contain file name without any further path components.
+ field_name_conditions:
+ - type: include_fields
+ fields:
+ - Image
+ detection_item_conditions:
+ - type: match_string
+ cond: any
+ pattern: "^\\*\\\\?[^\\\\]+$"
+ negate: true
+- id: image_file_only
+ type: replace_string
+ regex: "^\\*\\\\([^\\\\]+)$"
+ replacement: "\\1"
+ field_name_conditions:
+ - type: include_fields
+ fields:
+ - Image
+- id: field_mapping
+ type: field_name_mapping
+ mapping:
+ EventID:
+ - event_id
+ - evtid
+- id: windows_field_prefix
+ type: field_name_prefix
+ prefix: "win."
+ field_name_cond_not: true
+ field_name_conditions:
+ - type: processing_item_applied
+ processing_item_id: field_mapping
+- id: index_condition
+ type: add_condition
+ conditions:
+ index: windows
+ rule_conditions:
+ - type: logsource
+ product: windows
\ No newline at end of file
diff --git a/misc/placeholders.yml b/misc/placeholders.yml
new file mode 100644
index 0000000..c747421
--- /dev/null
+++ b/misc/placeholders.yml
@@ -0,0 +1,18 @@
+name: Placeholder example
+priority: 10
+allowed_backends:
+- splunk
+transformations:
+- id: value_placeholders
+ type: value_placeholders
+ include:
+ - client
+- id: generic_query_excpression_placeholders
+ type: query_expression_placeholders
+ include:
+ - client_operations
+ expression: "[ inputlookup {id} | rename dest as {field} ]"
+vars:
+ client:
+ - "DESKTOP-*"
+ - "NOTEBOOK-*"
\ No newline at end of file
diff --git a/misc/processing.yml b/misc/processing.yml
new file mode 100644
index 0000000..771e1f6
--- /dev/null
+++ b/misc/processing.yml
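Review bot: `misc/field_mapping.yml` is byte-for-byte the same file as `misc/processing.yml` added further down in this commit (both `index` lines show blob `771e1f6`, both carry `name: Fixing the field naming mess` and the same item ids), so the two copies will drift as soon as one is edited, and the README presents them as two different examples from the same post without saying what distinguishes them. Keep a single file, or give the second one content and a `name` that match what the README says it illustrates. Within this file `image_fail_path` and `image_file_only` normalise only `Image`; `ParentImage` and other path-valued fields pass through untouched, which is fine for an example but is worth stating with a comment above `image_fail_path` such as `# Only Image is checked/rewritten; extend include_fields for ParentImage and similar fields`.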
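Review bot: The item id `generic_query_excpression_placeholders` in `misc/placeholders.yml` misspells "expression"; item ids are what `processing_item_applied` conditions and error output refer to, so a typo here tends to be copied into every pipeline that builds on this one, and `- id: generic_query_expression_placeholders` is the line to change. `expression: "[ inputlookup {id} | rename dest as {field} ]"` is SPL, so `allowed_backends: [splunk]` restricting the pipeline is correct; a comment above `expression` such as `# {id} is the placeholder name from the rule, {field} the field it is used in; the named lookup must exist in Splunk` would save the next reader a trip to the blog post.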
@@ -0,0 +1,43 @@
+name: Fixing the field naming mess
+priority: 30
+transformations:
+- id: image_fail_path
+ type: detection_item_failure
+ message: Image must only contain file name without any further path components.
+ field_name_conditions:
+ - type: include_fields
+ fields:
+ - Image
+ detection_item_conditions:
+ - type: match_string
+ cond: any
+ pattern: "^\\*\\\\?[^\\\\]+$"
+ negate: true
+- id: image_file_only
+ type: replace_string
+ regex: "^\\*\\\\([^\\\\]+)$"
+ replacement: "\\1"
+ field_name_conditions:
+ - type: include_fields
+ fields:
+ - Image
+- id: field_mapping
+ type: field_name_mapping
+ mapping:
+ EventID:
+ - event_id
+ - evtid
+- id: windows_field_prefix
+ type: field_name_prefix
+ prefix: "win."
+ field_name_cond_not: true
+ field_name_conditions:
+ - type: processing_item_applied
+ processing_item_id: field_mapping
+- id: index_condition
+ type: add_condition
+ conditions:
+ index: windows
+ rule_conditions:
+ - type: logsource
+ product: windows
\ No newline at end of file
diff --git a/splunk/splunk-savedsearches-concat.yml b/splunk/splunk-savedsearches-concat.yml
new file mode 100644
index 0000000..f001312
--- /dev/null
+++ b/splunk/splunk-savedsearches-concat.yml
@@ -0,0 +1,13 @@
+postprocessing:
+- type: template
+ template: |+
+ [{{ rule.id }}]
+ search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events
+ description = {{ rule.description }}
+finalizers:
+- type: concat
+ prefix: |
+ [default]
+ cron_schedule = */15 * * * *
+ dispatch.earliest_time = -20m@m
+ dispatch.latest_time = -5m@m
\ No newline at end of file
diff --git a/splunk/splunk-savedsearches-template.yml b/splunk/splunk-savedsearches-template.yml
new file mode 100644
index 0000000..7be78b0
--- /dev/null
+++ b/splunk/splunk-savedsearches-template.yml
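Review bot: In `splunk/splunk-savedsearches-concat.yml` the `search =` line interpolates `rule.title` into a double-quoted SPL string literal without escaping, and the `description = {{ rule.description }}` line below it interpolates a value that Sigma rules routinely write as a multi-line block; a title containing `"` breaks the `eval` or alters the search that gets installed, and a multi-line description spills its later lines into the stanza as stray keys. Flattening the description with a built-in filter, `description = {{ rule.description | replace('\n', ' ') | default('') }}`, keeps it on one line and also avoids rendering the literal `None` when a rule has no description; the title needs its embedded `"` characters escaped or replaced before it is placed inside the `eval` string. The same two template lines are repeated verbatim in `splunk/splunk-savedsearches-template.yml` further down and need the same treatment.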
@@ -0,0 +1,14 @@
+postprocessing:
+- type: template
+ template: |+
+ [{{ rule.id }}]
+ search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events
+ description = {{ rule.description }}
+finalizers:
+- type: template
+ template: |
+ [default]
+ cron_schedule = */15 * * * *
+ dispatch.earliest_time = -20m@m
+ dispatch.latest_time = -5m@m
+ {{ queries | join('\n') }}
\ No newline at end of file